The Hidden Risks of Multi-User Biometrics

Introduction

In the current digital era, smartphones hold the key to almost every aspect of our lives. They are already linked to our shopping accounts, banks, smart devices, Bluetooth devices, and even our cars. It is no surprise that the need for enhanced security measures has become so important. Biometric technology has emerged as a promising solution, offering convenient and efficient ways to authenticate our identities. No doubt it is better than existing security measures, but like every technology, it comes with its own set of disadvantages. In this blog, we will dive into the pros and cons of biometric technology so that you can make an informed decision about whether it is right for your business.

 

Why is Biometric Authentication used?

Traditionally, biometric authentication such as fingerprint or face recognition is designed to authenticate a single user. It assumes that a mobile phone is a device for personal use. However, this assumption is not always correct. In a family, more than one person generally has access to the same device. In an organization, devices might be shared among different users according to their shift timings, used as a single number for customer support, or shared in other similar use cases. Since biometric authentication makes access easy, it is usually enabled for multiple users in all such cases. We tend to trust that, while another person may leak a passcode or PIN they know, they will not be able to leak fingerprint information, and that is true to an extent. Both Apple and Google have built-in features to keep users’ biometric identity safe: it can be used for validation, but it may not be possible to copy it. Then what is the real issue in this case?

 

The Real Issue

The issue is that when the apps installed on such devices rely purely on biometric authentication, there is no way to determine whether the user whose biometrics were used was the intended user of the app. Let’s understand it with an example. If I am the owner of a phone and I have a banking app or a shopping account that authenticates me using my biometrics for payments or purchases, then that app will provide the same access to any other user whose biometrics are registered on the same device. It could be my colleague, my children, or any other person whom I trust and whose biometrics are registered. This is mainly because on-device biometric authentication does not validate, at the app level, which user was supposed to get access. It only validates whether the current fingerprint was registered for device access. The same is true for two different fingers of the same person.

 

What can be done?

Since we now know about the issue, let’s see what we can do as a business owner and as a user.

Business Owners

As business owners, we should start treating devices as shared devices and design app access use cases with this in mind. The business should not expose any Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) based on biometric authentication alone. Apps that enable financial transactions should not proceed purely on the basis of biometric validation. They should implement a mechanism to validate such critical use cases by asking users to enter a PIN specifically enabled for the app being used. Using Multi-factor Authentication (MFA) such as an OTP via SMS, email, or voice call could be another option, but since SMS and email are, most of the time, enabled on the same device, it could defeat the purpose, so it may be avoided. These measures may cause some inconvenience to users but will instill confidence in them that their accounts are secure.
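The step-up check described above, sketched as an added example (not code from the original post): a successful device biometric only lets low-risk actions through, while actions touching PII/SPI or money also require an app-specific PIN. The action names, the three-attempt lockout and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Actions that expose PII/SPI or move money (hypothetical names).
SENSITIVE_ACTIONS = {"transfer_funds", "view_pii"}
MAX_PIN_FAILURES = 3  # assumed lockout threshold


def _derive(pin: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a leaked record does not cheaply reveal a short PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


@dataclass
class AppPin:
    """App-specific PIN record, separate from the device unlock PIN."""
    salt: bytes
    digest: bytes
    failures: int = 0

    @classmethod
    def enroll(cls, pin: str) -> "AppPin":
        salt = os.urandom(16)
        return cls(salt, _derive(pin, salt))

    def verify(self, pin: str) -> bool:
        if self.failures >= MAX_PIN_FAILURES:
            return False  # locked until the account is recovered another way
        ok = hmac.compare_digest(_derive(pin, self.salt), self.digest)
        self.failures = 0 if ok else self.failures + 1
        return ok


def authorize(action: str, biometric_ok: bool, app_pin: AppPin,
              pin: Optional[str] = None) -> str:
    """Return 'allow', 'deny' or 'pin_required' for one request."""
    if not biometric_ok:
        return "deny"
    if action not in SENSITIVE_ACTIONS:
        return "allow"  # low-risk: any user enrolled on the device may proceed
    if pin is None:
        # The biometric only proves "someone enrolled on this device",
        # not that the account owner is present, so ask for the app PIN.
        return "pin_required"
    return "allow" if app_pin.verify(pin) else "deny"
```

The lockout matters because a person sharing the device already passes the biometric check and could otherwise guess a short PIN without limit.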

Users

As a user of such a device, you should ensure that an app lock mechanism is enabled whenever a new biometric identity is added to it. In all device operating systems, there is a feature that lets you enable a PIN for accessing apps that are not meant to be used by anyone else who may be sharing your device. For example, you might not want to share your banking app with your children, but you might want to allow them to buy anything on a shopping account. In such cases, access to banking apps can be enabled via a PIN that you know as the user. This PIN is different from the device unlock PIN, so it is definitely an added layer of security.

Mobile Operating System Developers

As mobile operating system developers, Apple and Google can also do a bit to handle such issues. Currently, there is no way for developers to know which of the many registered fingerprints was used for a given biometric authentication. If the OS provides an enhancement to expose the named value of such biometrics, app developers can ask users to enable one or many of them for access to the app. For example, a user may enable his index finger for the banking app and his middle finger for the shopping app. Similarly, he may enable his own fingerprint for all apps and a child’s fingerprint for shopping apps only. This can then ensure that apps are used by their intended users only.

 

Conclusion

While biometric technology offers enhanced security, its application in shared environments poses challenges. Businesses must implement additional security layers, like app-specific PINs, to mitigate risks. Users should proactively enable App lock and other such features to ensure restricted app access on shared devices. Operating system enhancements, enabling developers to identify specific biometrics used, could significantly improve security protocols. In the dynamic landscape of digital interactions, a balance between convenience and robust security measures is imperative for the seamless integration of biometric technology.

Author Details

Gaurav Goyal

Gaurav has more than 20 years of experience. He specializes in designing and architecting highly modular apps for mobile. He has worked with clients and teams across US, UK, Australia and Singapore.
